DNV-OS-D202
© Det Norske Veritas. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, without the prior written consent of Det Norske Veritas.
If any person suffers loss or damage which is proved to have been caused by any negligent act or omission of Det Norske Veritas, then Det Norske Veritas shall pay compensation to such person for his proved direct loss or damage. However, the compensation shall not exceed an amount equal to ten times the fee charged for the service in question, provided that the maximum compensation shall never exceed USD 2 million.
In this provision "Det Norske Veritas" shall mean the Foundation Det Norske Veritas as well as all its subsidiaries, directors, officers, employees, agents and any other acting on behalf of Det Norske Veritas.
Offshore Standard DNV-OS-D202, October 2008
CONTENTS

C 400 Requirements for preservation of night vision (UIDs and VDUs for installation on the navigating bridge) .......... 31
D. Screen Based Systems .......... 31
D 100 General .......... 31
D 200 Illumination .......... 31
D 300 Colour screens .......... 31
D 400 Computer dialogue .......... 31
D 500 Application screen views .......... 31
Sec. 6 Supplementary Requirements for Drilling Units .......... 32
A. General .......... 32
A 100 Introduction .......... 32
B. Design Principles .......... 32
B 100 General .......... 32
C. System Design .......... 32
C 100 General .......... 32
D. Additional Requirements for Computer Based Systems .......... 32
D 100 General .......... 32
E. Component Design and Installation .......... 32
E 100 General .......... 32
F. User Interface .......... 32
F 100 General .......... 32
Sec. 7 Supplementary Requirements for Production and Storage Units .......... 33
A. General .......... 33
A 100 Introduction .......... 33
B. Design Principles .......... 33
B 100 General .......... 33
C. System Design .......... 33
C 100 General .......... 33
D. Additional Requirements for Computer Based Systems .......... 33
D 100 General .......... 33
E. Component Design and Installation .......... 34
E 100 General .......... 34
F. User Interface .......... 34
F 100 General .......... 34
CH. 3 CERTIFICATION AND CLASSIFICATION .......... 35
Sec. 1 Certification and Classification - Requirements .......... 37
A. General .......... 37
A 100 Introduction .......... 37
A 200 Organisation of Ch.3 .......... 37
A 300 Classification principles .......... 37
B. Documentation .......... 37
B 100 General .......... 37
C. Certification .......... 41
C 100 General .......... 41
D. Inspection and Testing .......... 42
D 100 Manufacturing survey .......... 42
D 200 On board testing .......... 42
D 300 Renewal survey .......... 42
E. Alterations and Additions .......... 42
E 100 General .......... 42
CHAPTER 1
INTRODUCTION
CONTENTS PAGE
Sec. 1 General ...................................................................................................................................... 9
SECTION 1
GENERAL
Other equipment items do not, whether they are implemented locally or remotely, belong to the field instrumentation. This applies to data communication and facilities for data acquisition and pre-processing of information utilised by remote systems.

212 Process segment: A collection of mechanical equipment with its related field instrumentation, e.g. a machinery or a piping system. Process segments belonging to essential systems are referred to as essential.

213 Integrated system: A combination of computer based systems which are interconnected in order to allow common access to sensor information and/or command or control.

214 User: Any human being that will use a system or device, e.g. captain, navigator, engineer, radio operator, stock-keeper, etc.

215 Workstation: A work place at which one or several tasks constituting a particular activity are carried out and which provides the information and equipment required for safe performance of the tasks.

216 System availability: The time the system is available.

217 Equipment under control (EUC): The mechanical equipment (machinery, pumps, valves, etc.) or environment (smoke, fire, waves, etc.) monitored and/or controlled by an automation and safety system.

218 Process: The result of the action performed by the EUC.

219 Indications: The visual presentation of values for the EUC or system status to a user (lamps, dials, VDU displays, etc.).

220 Uninterruptible power supply (UPS): A device supplying output power for some limited time period after loss of input power, with no interruption of the output power.

221 Independency:
Mutually independent: Two systems are mutually independent when a single system failure occurring in either of the systems has no consequences for the maintained operation of the other system as described above. Redundancy may provide the necessary independence.
Independent: System B is independent of system A when any single system failure occurring in system A has no effect on the maintained operation of system B. A single system failure occurring in system B may affect the maintained operation of system A.

222 Redundancy: A system with redundancy is one with duplication which prevents failure of the entire system in the event of failure of a single component.

223 Remote control system: Comprises all hardware and software necessary to operate the EUC from a control position where the operator cannot directly observe the effect of his actions.

224 Back-up control system: Comprises all hardware and software necessary to maintain control when main control systems have failed, malfunctioned or are being maintained.

225 Safety and automation system: Term used for an integrated safety, automation and/or telecommunication system.

Guidance note:
Other terms used for such systems are: Integrated Control and Safety System (ICSS), Safety and Automation System (SAS), Safety and Instrumentation System (SIS).
The term is also commonly used for a stand alone system not integrated with other systems.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

226 Separated: Term used for cables, network nodes, etc. to indicate that they are physically located with distance or mechanical separation sufficient to prevent a single failure taking out the entire function.

Guidance note:
The best separation that is reasonably practicable in order to minimise the chances of a single incident affecting both systems should be applied. Redundant controllers in the same cabinet are considered to be acceptable because the cabinet is located in a well protected “safe” area.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

227 Warning: An indication of equipment under control (EUC) or system state that needs attention.

228 Approval centre: The body that is performing the verification of the design and/or fabrication surveys.

229 Fire panel: A stand alone system for presenting fire alarms and system failures.

230 A normally energised (NE) circuit: A circuit where energy is present when the circuit is not activated by the activating function.

231 A normally de-energised (NDE) circuit: A circuit where energy is present when the circuit is activated by the activating function.

C 300 Terms related to computer based systems

301 Complex system: A system for which all functional and failure response properties of the completed system cannot be tested with reasonable effort. Systems handling application software belonging to several functions, and software that includes simulation, calculation and decision support modules, are normally considered complex.

302 Computer: A computer includes any programmable electronic system, including main-frame, mini-computer or micro-computer (PLC).

303 Visual display unit (VDU): Any area where information is displayed, including indicator lamps or panels, instruments, mimic diagrams and computer display monitors.

304 User input device (UID): Any device from which a user may issue an input, including handles, buttons, switches, keyboard, joystick, pointing device, voice sensor and other control devices.

305 System software: Software used to control the computer and to develop and run applications.

Guidance note:
Typically the operating system or system firmware.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

306 Application software: Standard software which is required for developing, running, configuring or compiling application software, and project specific program(s) with associated parameters which carry out operations related to the EUC being controlled or monitored.

307 Software module: A small self-contained program which carries out a clearly defined task and is intended to operate within a larger program.

308 Function block: A small self-contained function with a set of defined inputs and outputs that carries out a clearly defined task and is intended to operate within an application program.

309 Computer task: In a multiprocessing environment, one or more sequences of instructions treated by a control program as an element of work to be accomplished by a computer.

310 Data communication links: This includes point to point links, instrument networks and local area networks, normally used for inter-computer communication on board units. A data communication link includes all software and hardware necessary to support the data communication.
CHAPTER 2
TECHNICAL PROVISIONS
CONTENTS PAGE
Sec. 1 Design Principles...................................................................................................................... 15
Sec. 2 System Design.......................................................................................................................... 18
Sec. 3 Additional Requirements for Computer Based Systems.......................................................... 21
Sec. 4 Component Design and Installation ......................................................................................... 25
Sec. 5 User Interface ........................................................................................................................... 30
Sec. 6 Supplementary Requirements for Drilling Units ..................................................................... 32
Sec. 7 Supplementary Requirements for Production and Storage Units............................................. 33
SECTION 1
DESIGN PRINCIPLES
A. System Configuration

A 100 General

101 Essential and important systems shall be so arranged that a single failure in one system cannot spread to another system.

Guidance note:
The system should be designed so that a failure in the automation function does not have any impact on the safety function. Other measures include the use of selective fusing of electrical distribution systems.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

102 Failure of any safety and automation system shall initiate an audible and visual alarm at a manned control station and shall not prevent manual control.

A 200 Field instrumentation

201 The field instrumentation belonging to separate essential process segments shall be mutually independent.

202 When the field instrumentation of a process segment is common for several systems, and any of these systems is essential, failures in any of the systems shall not affect this field instrumentation.

203 When manual emergency operation of an essential process segment is required, the field instrumentation required for the manual emergency operation shall be independent of other parts of any system.

204 When traditional mechanical components are replaced by electronic components, these components shall have the same reliability as the mechanical component being replaced.

Guidance note:
Electronic governors should have a power supply independent of other consumers and a system availability of R0. Speed sensor cabling should be mechanically well protected.
Electric or electronic fuel injectors should be designed to permit the necessary functionality in case of the most probable failures.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 300 System

301 For an essential system having more than one process segment, failure in the field instrumentation of one process segment shall not result in failure of the remaining parts of the system.

A 400 Integrated systems

401 Essential systems, excluding common process segments, shall be independent of other systems.

402 Non-important systems, or parts of non-important systems, which may affect essential or important systems shall meet the requirements for the relevant system they are connected to.

403 UIDs for operation shall only be available at workstations from which operation is permitted.

404 There shall be sufficient VDUs or other panels to ensure both overview and detailed information for relevant safety systems.

Guidance note:
Sufficient overall status should be provided without browsing between screen pictures. This implies that it should be possible to both have a fixed overview of safety related information as well as using other VDUs to obtain detailed information about the incident.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note:
The number of VDUs and UIDs at control stations should be sufficient to ensure that all functions may be provided for with any one VDU or UID out of operation, taking into account any functions that should be continuously available.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 500 Redundancy

501 Redundancy shall be built in to the extent necessary for maintaining the safe operation of the unit. Changeover to redundant systems shall be simple even in cases of failure of parts of the safety and/or automation system.

502 Automatic switching between two systems shall not be dependent on only one of the systems.

503 The redundancy requirement shall imply redundant communication links, power supplies, computers and operator stations.

Guidance note:
Redundancy of computers should be limited to controllers with CPUs; single I/O cards/modules are accepted. Consideration should be given to the allocation of signals to I/O modules in order to minimise the consequences of a single card/module failure.
Addressable loop detector systems with single CPU central units are presently accepted for living quarter and marine areas as well as for drilling areas, but areas with more than one detector should normally be covered by at least two loops. Consideration should be given to the distribution of detectors on different loops.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B. System Availability

B 100 General

101 The time the system is available shall be adapted to the redundancy requirements imposed on the system served.

102 Typical system availabilities for the different categories are given in Table B1.

Table B1 System availability
System category                   Repair time
Continuous availability (R0)      None
High availability (R1)            30 s
Manual system restoration (R2)    10 minutes
Repairable systems (R3)           3 hours

B 200 Continuous availability (R0)

201 A system serving a function that shall be continuously available shall be designed to provide no interrupts of the function, neither in normal operation modes nor in case of a single system failure.

202 Changeover between redundant systems shall take place automatically and with no disturbance of the continuous operation of the function in case of system failure. User requested changeovers shall be simple and easily initiated and shall take place with no unavailable time for the function.

203 User interfaces of redundant systems shall allow super-
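The independence relations of definition 221 (Ch.1 Sec.1) and the single-failure requirements in A 100, A 400 and A 500 above can be checked mechanically over a system inventory. The following Python is an added example, not code from the standard or from DNV; the systems, elements and ownership it uses are constructed.

```python
"""Single-failure independence check between systems.

Added example (not the standard's own code) for definitions 221 and 222 and
for Sec.1 items A 101, A 401 and A 503: each system is described by the
elements it needs, grouped so that a set with more than one member is a
redundant pair (222) and a single-member set is a single point of failure.
A single failure in system A is the failure of one element owned by A; it
reaches system B when B needs that element without redundancy. System and
element names below are constructed.
"""
from itertools import permutations

# Constructed plant: which system owns each element.
OWNER = {
    "esd-cpu": "ESD", "esd-io": "ESD",
    "fg-cpu": "FG",
    "pcs-cpu": "PCS",
    "vms-cpu": "VMS",
    "ups-a": "POWER", "ups-b": "POWER",
    "net-a": "NET", "net-b": "NET",
}

# Constructed dependencies: each inner frozenset is one redundancy group.
NEEDS = {
    "ESD": [frozenset({"esd-cpu"}), frozenset({"esd-io"}), frozenset({"ups-a", "ups-b"})],
    "FG": [frozenset({"fg-cpu"}), frozenset({"net-a"}), frozenset({"ups-a", "ups-b"})],
    "PCS": [frozenset({"pcs-cpu"}), frozenset({"ups-a"}), frozenset({"net-a", "net-b"})],
    "VMS": [frozenset({"vms-cpu"}), frozenset({"pcs-cpu"})],
    "POWER": [frozenset({"ups-a"}), frozenset({"ups-b"})],
    "NET": [frozenset({"net-a"}), frozenset({"net-b"})],
}

ESSENTIAL = {"ESD", "FG"}


def elements_of(system, owner=OWNER):
    """All elements owned by `system`; failing any one of them is a single failure in it."""
    return {e for e, s in owner.items() if s == system}


def single_points(system, needs=NEEDS):
    """Elements whose lone failure stops `system` (no redundancy group covers them)."""
    return {next(iter(g)) for g in needs[system] if len(g) == 1}


def independent_of(b, a, owner=OWNER, needs=NEEDS):
    """221: True if no single failure originating in A affects B."""
    if a == b:
        return True
    return not (elements_of(a, owner) & single_points(b, needs))


def classify(a, b, owner=OWNER, needs=NEEDS):
    """221: mutual, one-way or no independence between two systems."""
    a_of_b = independent_of(a, b, owner, needs)
    b_of_a = independent_of(b, a, owner, needs)
    if a_of_b and b_of_a:
        return "mutually independent"
    if b_of_a:
        return f"{b} independent of {a}"
    if a_of_b:
        return f"{a} independent of {b}"
    return "dependent"


def essential_violations(essential=ESSENTIAL, owner=OWNER, needs=NEEDS):
    """A 401 / A 101: essential systems that a single failure elsewhere can reach.

    Returns sorted (essential_system, failing_element, origin_system) tuples."""
    found = []
    for sys_, origin in permutations(needs, 2):
        if sys_ not in essential:
            continue
        for element in sorted(elements_of(origin, owner) & single_points(sys_, needs)):
            found.append((sys_, element, origin))
    return sorted(found)


if __name__ == "__main__":
    for pair in (("ESD", "PCS"), ("PCS", "VMS"), ("PCS", "POWER")):
        print(pair, "->", classify(*pair))
    print("A 401 violations:", essential_violations())
```

In the constructed plant the fire and gas system (FG) hangs on a single network path, so it is the one essential system that A 401 flags.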
C 200 Fail-safe functionality

201 The most probable failures, for example loss of power or wire failure, shall result in the least critical of any possible new conditions.

103 The following shall be evaluated during test of computer based systems:
— tools for system set-up and configuration of the EUC
— implementation of the software quality plan.

104 The tests and visual examinations shall verify that all requirements given by the applicable DNV Offshore Standards are met. The test procedures shall specify in detail how the various functions shall be tested and what is to be observed during the tests.

105 Failures shall be simulated as realistically as possible, preferably by letting the monitored parameters exceed the alarm and safety limits. Alarm and safety limits shall be checked.

106 It shall be verified that all automation functions are working satisfactorily during normal load changes.

F 200 Software module testing

201 Documentation of software module and function block testing shall be available at the manufacturer's works.

202 Application software testing shall be performed to demonstrate functionality in accordance with the design documentation with respect to the Equipment Under Control (EUC), including the operator interface.

F 300 Integration testing

301 Integration tests include integration of hardware components and integration of software modules into the same hardware.

302 Integration tests shall be performed with the actual software and hardware to be used on board and shall include:
a) Hardware tests;
- hardware failures.
b) System software tests;
- system software failures.
c) Application software tests.
d) Function tests of normal system operation and normal EUC performance, in accordance with the requirements of the DNV Offshore Standards. Function tests are also to include a degree of performance testing outside of the normal operating parameters.
e) User interface tests.

Guidance note:
The tests may be done on a representative test system if the computer hardware is type approved.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

F 400 System testing

401 System tests include the entire system, integrating all hardware and software. The test may also include several systems.

402 System tests shall be performed with the software installed on the actual systems to be used on board, interconnected to demonstrate the functions of the systems.

403 The tests shall include those tests which were not or could not be completed on hardware component or software module level.

F 500 On-board testing

501 The testing shall demonstrate, verify and document full functionality of all automation and safety systems and shall include:
a) During installation, the correct function of individual equipment packages, together with establishment of correct parameters for automation and safety (time constants, set points, etc.).
b) During installation and sea trials, the correct function of systems and integration of systems, including the ability of the automation and safety systems to keep any EUC within the specified tolerances and carry out all safety/protective actions.
c) The correct distribution, protection and capacity of power supplies.
d) Back-up and emergency automation and safety functions for essential unit/installation systems.

Guidance note:
The tests should demonstrate that the essential installation functions are operable on the available back-up means of operation (as required in the relevant application standard), and in a situation where the normal system is disabled as far as practical.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

502 A copy of the approved test programme shall be kept on the installation, completed with final set points.

503 The test programme for harbour and sea trials shall be approved by the Approval centre prior to the tests.

504 Hydraulic automation and shut-down systems with on/off regulation shall be tested with maximum return flow to verify that return headers are adequately sized and free of blockages which could prevent correct system performance.

505 For pneumatic and hydraulic automation systems with accumulators used to ensure fail safe operation, tests shall include verification of accumulator charge level and capacity.
SECTION 2
SYSTEM DESIGN
A. System Elements

A 100 General

101 A system consists of one or several system elements, where each system element serves a specific function.

102 System elements belong to the categories:
— automation system
— remote control
— alarm
— safety
— indications
— planning and reporting
— calculation, simulation and decision support.

103 The safety and automation system shall be designed as mutually independent systems. The different elements must not be designed as one combined system where safety functions are combined with automation functions.

Guidance note:
Mutual independency is required on each node such as ESD/PSD, F&G, PCS, VMS and DCS as applicable, while operator stations for each node are accepted on a common redundant network provided there is robustness against common failures (i.e. network storm).
The exception is a safety system for load reduction, i.e. for propulsion engines.
Manufacturers that deliver parts of a larger system should also meet the requirements of independence between automation and safety functions.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 200 Automation system

201 The automation system shall keep process equipment variables within the limits specified for the process equipment (e.g. the machinery) during normal working conditions.

202 The automation system shall be stable over the entire control range. The margin of stability shall be sufficient to ensure that variations in the parameters of the controlled process equipment that may be expected under normal conditions will not cause instability. The automation system element shall be able to accomplish the function it shall serve.

203 Automatic functions such as automatic starting and other automatic operations, when relevant, shall include provisions for manually overriding the automatic controls unless designed according to SOLAS Ch. II-1/31.1 and 31.5.1 or safe manual operation is not feasible. Failure of any part of such systems shall not prevent the use of the manual override.

204 In closed loop systems, feedback failures shall initiate an alarm, and the system shall fail to safety, which normally implies either remaining in its present state or moving in a controlled manner to a predefined safe state.

205 Remote control of important and essential systems shall meet the requirements described in Sec.2 and Sec.3 as applicable.

A 300 Propulsion remote control

301 At the remote command location, the user shall receive continuous information on the effects of his or her orders.

302 One command location is to be designated as the main command location. The main command location is to be independent of other command locations.

303 When control is possible from several locations, only one shall be in control at a time.

304 Actual control shall not be transferred before acknowledged by the receiving command location, unless the command locations are located close enough to allow direct visual and audible contact. Transfer of control shall give an audible warning. The main command location shall be able to take control without acknowledgement, but an audible warning must be given at the work station that thereby loses control, either partly or completely. The device for taking control shall not be integrated in the normal operating devices (e.g. levers or pushbuttons).

Guidance note:
Examples of situations where an audible warning should be given:
1) autopilot losing control of one out of two rudders/thrusters,
2) autopilot losing control of a single rudder/thruster when manual control is taken from the lever/wheel,
3) control panel on the bridge for mechanically driven propulsion thrusters losing control of engine rpm or propeller pitch when control is taken from the ECR or locally.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note:
There may be several main command locations on different levels. For example: for remote control of propulsion machinery, the engine control room is normally the main control station. For remote control of propulsion thrusters, however, the bridge is the main work station, as the propulsion control is integrated with the steering function for which the bridge is the main control position.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

305 Means shall be provided to prevent significant alteration of process equipment parameters when transferring control from one location to another or from one means or mode of operation to another. If this involves manual alignment of control levers, indicators shall show how the levers are to be set to become aligned, and it shall not be possible to bypass the alignment process.

306 On each alternative command location, it shall be indicated when this location is in control.

307 Control system elements shall include safety interlocks when the consequence of erroneous user actions may lead to major damage or loss of essential or important functions.

308 Safety interlocks in different parts of the systems shall not conflict with each other.
Basic safety interlocks shall be hardwired and shall be active during remote and local operation.

Guidance note:
Hardwired safety interlocks should not be overridden by programmable interlocks.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 400 Safety

401 A safety system element shall be arranged to automatically take safety actions on occurrence of predefined abnormal states for the EUC. The corresponding system element includes all resources required to execute these actions. Where the fail safe condition is defined as "continue" for essential systems, a failure in the loop monitoring shall initiate an alarm and not stop the unit. Where loop failure monitoring is not possible, a two out of two voting system may be accepted.
For the fail safe condition, reference is made to DNV-OS-A101 Sec.5 C.
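The command-location rules in A 300 above (302 to 306) as a state machine, added here as an example and not part of the standard or of any DNV deliverable; station names, lever values and the alignment tolerance are constructed.

```python
"""Command-location transfer model for a propulsion remote control system.

Added illustration of Sec.2 A 300 items 302 to 306 (not code from the
standard): only one location is in control at a time (303); transfer waits
for acknowledgement by the receiving location unless the two are within
direct sight and earshot (304); the main command location takes control
without acknowledgement but an audible warning is always raised at the
station losing control (304); a transfer is refused until the receiving
lever is aligned with the current setpoint and the indicator tells the
operator how to align it (305); the station in control is indicated (306).
Station names, lever values and the tolerance are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Location:
    name: str
    is_main: bool = False          # 302: one designated main command location
    lever: float = 0.0             # current lever setting at this station
    in_control_lamp: bool = False  # 306: indication that this station is in control


@dataclass
class TransferSystem:
    locations: dict
    controlling: str
    setpoint: float = 0.0                       # current process demand
    adjacent: set = field(default_factory=set)  # pairs with direct visual/audible contact
    tolerance: float = 0.5
    pending: Optional[str] = None               # location waiting to acknowledge
    audible_warnings: list = field(default_factory=list)
    indications: list = field(default_factory=list)

    def __post_init__(self):
        self.locations[self.controlling].in_control_lamp = True

    def _in_contact(self, a, b):
        return frozenset((a, b)) in self.adjacent

    def alignment_hint(self, name):
        """305: tell the operator how to set the lever before transfer."""
        delta = self.setpoint - self.locations[name].lever
        if abs(delta) <= self.tolerance:
            return "aligned"
        return f"move lever {'up' if delta > 0 else 'down'} by {abs(delta):.1f}"

    def request_transfer(self, to):
        """Ask that station `to` takes control; returns the resulting status."""
        if to == self.controlling:
            return "already-in-control"
        hint = self.alignment_hint(to)
        if hint != "aligned":
            self.indications.append((to, hint))   # 305: alignment cannot be bypassed
            return "not-aligned"
        if self.locations[to].is_main or self._in_contact(self.controlling, to):
            return self._complete(to)             # 304: no acknowledgement needed
        self.pending = to
        return "awaiting-acknowledgement"

    def acknowledge(self, at):
        """304: the receiving location acknowledges the pending transfer."""
        if self.pending != at:
            return "no-pending-transfer"
        return self._complete(at)

    def _complete(self, to):
        loser = self.controlling
        self.locations[loser].in_control_lamp = False
        self.locations[to].in_control_lamp = True
        self.controlling = to
        self.pending = None
        # 304: audible warning at the station that loses control, every time
        self.audible_warnings.append((loser, f"control taken by {to}"))
        return "transferred"


def run_scenario():
    """Constructed walk-through: ECR in control, bridge (main) takes over,
    then the local stand takes over with acknowledgement."""
    ts = TransferSystem(
        locations={
            "bridge": Location("bridge", is_main=True, lever=10.0),
            "ecr": Location("ecr", lever=70.0),
            "local": Location("local", lever=70.0),
        },
        controlling="ecr",
        setpoint=70.0,
        adjacent={frozenset({"ecr", "local"})},
    )
    steps = [ts.request_transfer("bridge")]       # not-aligned: lever 10, setpoint 70
    ts.locations["bridge"].lever = 70.0
    steps.append(ts.request_transfer("bridge"))   # transferred: main needs no ack
    steps.append(ts.request_transfer("local"))    # awaiting: local not adjacent to bridge
    steps.append(ts.acknowledge("ecr"))           # refused: wrong station acknowledging
    steps.append(ts.acknowledge("local"))         # transferred
    return steps, ts
```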
402 The safety system element shall be so designed that the most probable failures, for example loss of power supply or wire failure, result in the least critical of any possible new conditions (fail to safety), taking into consideration the safety of the machinery itself as well as the safety of the vessel/unit.

403 Automatic safety actions shall initiate an alarm at manned workstations.

404 When the safety system element stops an EUC, the EUC shall not start again automatically.

Guidance note:
For PA/GA alarms see DNV-OS-A101 Sec.6 F for details.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

602 Visual alarms shall be easily distinguishable from other indications by use of colour and special representation.

Guidance note:
In view of standardising, visual alarm signals should preferably be red. Special representation may be a symbol.
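Items 401 to 404 above, together with the NE circuit definition (Ch.1 Sec.1 230), as an added Python model that is not the standard's own code: a supervised loop tells a wire fault from a demand, a "continue" function alarms on loop faults instead of stopping, an unmonitored loop falls back to two out of two voting, and a trip stays latched until a manual reset. The current thresholds are constructed.

```python
"""Fail-safe evaluation of a safety system input loop.

Added example (not the standard's own code) for definitions 230/231 and
Sec.2 A 400 items 401 to 404, plus B 100 item 101: a normally energised
(NE) trip loop falls to the safe state on loss of energy; a loop with
end-of-line monitoring can tell a wire fault from a genuine demand, so an
essential "continue" function alarms instead of stopping; an unmonitored
loop protecting a "continue" function uses two-out-of-two voting; a trip
is latched until the cause is cleared. Current thresholds are constructed.
"""
from enum import Enum


class LoopState(Enum):
    HEALTHY = "healthy"   # quiescent current through the end-of-line resistor
    DEMAND = "demand"     # sensor contact changed: genuine trip demand
    OPEN = "open"         # no current: wire break or loss of supply
    SHORT = "short"       # current above the short-circuit threshold


def classify_monitored_loop(current_ma):
    """Supervised loop: the end-of-line resistor gives a distinct quiescent band.
    Bands (constructed): <0.5 open, 3..6 healthy, >30 short, otherwise demand."""
    if current_ma < 0.5:
        return LoopState.OPEN
    if current_ma > 30.0:
        return LoopState.SHORT
    if 3.0 <= current_ma <= 6.0:
        return LoopState.HEALTHY
    return LoopState.DEMAND


def classify_unmonitored_ne_loop(energised):
    """Plain NE circuit (230): de-energised is a demand, but so is a broken wire."""
    return LoopState.HEALTHY if energised else LoopState.DEMAND


class SafetyElement:
    def __init__(self, fail_safe, monitored):
        if fail_safe not in ("stop", "continue"):
            raise ValueError("fail_safe must be 'stop' or 'continue'")
        self.fail_safe = fail_safe
        self.monitored = monitored
        self.tripped = False
        self.alarms = []

    def evaluate(self, channels):
        """Return True if the EUC shall be stopped now; alarms are appended."""
        faults = [s for s in channels if s in (LoopState.OPEN, LoopState.SHORT)]
        demands = [s for s in channels if s is LoopState.DEMAND]
        if self.fail_safe == "stop":
            # 402: the most probable failures (loss of power, wire failure)
            # result in the least critical new condition, here: stop.
            stop = bool(faults or demands)
            if faults:
                self.alarms.append("loop fault -> fail to safety (stop)")
        elif self.monitored:
            # 401: essential "continue" function with loop monitoring:
            # a loop failure alarms but does not stop the unit.
            stop = bool(demands)
            if faults:
                self.alarms.append("loop fault -> alarm only, unit continues")
        else:
            # 401: no loop monitoring, so two-out-of-two voting. A single
            # de-energised channel is indistinguishable from a wire break.
            stop = len(channels) == 2 and len(demands) == 2
            if len(demands) == 1:
                self.alarms.append("channel discrepancy -> alarm, unit continues")
        if stop and not self.tripped:
            self.tripped = True
            self.alarms.append("automatic safety action taken")  # 403
        return self.tripped  # 404: stays stopped until manual reset

    def reset(self, cause_cleared):
        """B 100 item 101: restart only after the shut-down cause is cleared."""
        if cause_cleared:
            self.tripped = False
        return not self.tripped
```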
612 The more frequent failures within the alarm system, such as broken connections to measuring elements, shall initiate an alarm.

613 Interlocking of alarms shall be arranged so that the most probable failures in the interlocking system, for example a broken connection in external wiring, do not prevent alarms.

614 Blocking of alarm and safety functions in certain operating modes (for example during start-up) shall be automatically disabled in other modes.

615 It shall be possible to delay alarms to prevent false alarms due to normal transient conditions.

A 700 Indication

701 Indications sufficient to allow safe operation of essential and important functions shall be installed at all control locations from where the function shall be accomplished. Alarms are not considered as substitutes for indications for this purpose.

Guidance note:
It is advised that indicating and recording instruments are centralised and arranged to facilitate watch-keeping, for example by standardising the scales, applying mimic diagrams, and similar.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

702 Adequate illumination shall be provided in the equipment or in the vessel/unit to enable identification of controls and facilitate reading of indicators at all times. Means shall be provided for dimming the output of any equipment light source which is capable of interfering with navigation.

703 Indication panels shall be provided with a lamp test function.

A 800 Planning and reporting

801 Planning and reporting system elements shall have no outputs for real-time process equipment control during planning mode.

Guidance note:
The output may however be used to set up premises for process equipment control, for example a route plan used as input to an autopilot or a load plan used as input for automatic or user assisted sequence control of the loading.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note:
Planning and reporting functions are used to present a user with information to plan future actions.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 900 Calculation, simulation and decision support

901 Output from calculation, simulation or decision support modules shall not suppress basic information necessary to allow safe operation of essential and important functions.

Guidance note:
Output from calculation, simulation or decision support modules may be presented as additional information.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B. General Requirements

B 100 System operation and maintenance

101 Prior to restart after a shut-down, the situation resulting in the shut-down shall be cleared and reset.

102 Start-ups and restarts shall be possible without specialised system knowledge. On power-up and restoration after loss of power, the system shall be restored and resume operation automatically, where applicable.

103 Testing of essential systems and alarm systems shall be possible during normal operation. The system shall not remain in test mode unintentionally.

Guidance note:
Automatic return to operation mode or an alarm should be arranged.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B 200 Power distribution

201 Requirements are given in DNV-OS-D201.
SECTION 3
ADDITIONAL REQUIREMENTS FOR COMPUTER BASED SYSTEMS
The operator should only have access to the application(s) related to the operation of the functions covered by the system according to 501, while access to other applications, or to installations of such, should be prevented. Hot keys normally giving access to other functions or program exits (Alt+Tab, Ctrl+Esc, Alt+Esc, double-clicking in background, etc.) must be disabled.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
802 Unauthorised access to essential and important systems from a position outside the unit shall not be possible. Ref. also to Ch.1 Sec.1 A405 for remote diagnostics and maintenance.

B. System Software

B 100 Software requirements
101 Application software shall, to the extent possible, be standardised with the flexibility to provide the required functionality for an individual system by simple configuration and parameterisation (i.e. with minimal need for high level programming).
102 Application software shall be realised using standard software modules (e.g. function blocks) to the greatest extent possible. The software modules shall have the flexibility to provide individual application functionality by use of simple configuration and parameterisation. The use of high level programming shall be minimised.
103 The application software, software modules and function blocks shall encourage consistent programming of functions within the system as well as maximising the consistency of operation and consistency of presentation of information to the Operator.
104 System set-up, configuration to suit the EUC and the setting of parameters for the EUC onboard shall take place without modification of program code or recompilation. Facilities shall be provided to allow simple back-up and restoration of Operator configured parameters.
Guidance note:
When the setting of parameters is equivalent to programming, version identification of these settings shall be available. Version identification may be a check sum.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
105 Running software versions shall be uniquely identified by number, date or other appropriate means. This shall apply for all system software (including third party software packages) and all application software. Modifications shall not be made without also changing the version identifier. A record of changes to the system since the original issue (and their identification) shall be maintained and made available to the inspection party on request.
Guidance note:
For integrated systems, identification should be available in the system overview.
For any screen based system, identification should be readily available on the VDU during normal operation.
PROMs should be labelled.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B 200 Software manufacturing
201 All relevant actions shall be taken during manufacturing of software for a complex system to ensure that the probability of errors occurring in the program code is reduced to an acceptable level.
Relevant actions shall at least include actions to:
— ensure that the programming of applications is based on complete and valid specifications
— ensure that software purchased from other parties has an acceptable track record and is subject to adequate testing
— impose a full control of software releases and versions during manufacturing, installation onboard and during the operational phase
— ensure that program modules are subject to syntax and function testing as part of the manufacturing process
— minimise the probability of execution failures.
Guidance note:
Typical execution failures are:
- deadlocks
- infinite loops
- division by zero
- inadvertent overwriting of memory areas
- erroneous input data.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
202 The actions taken to comply with 201 shall be documented and implemented, and the execution of these actions shall be retraceable. The documentation shall include a brief description of all tests that apply to the system (hardware and software), with a description of the tests that are intended to be made by sub-vendors, those to be carried out at the manufacturer's works and those to remain until installation onboard.
203 When novel software is developed for essential systems, third party "approval of the manufacturer" may be required, either prior to or as part of the actual product development.

C. Network Systems and Communication Links

C 100 General
101 All nodes in a network shall be synchronised to allow a uniform time tagging of alarms (and events) to enable a proper sequential logging.
Guidance note:
If information is received from a source where time tagging is not practical, it is accepted that the time tagging is done at the receiving node in the network, at the earliest possible time.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
102 The network shall be designed with adequate immunity to withstand the possible noise exposure in relevant areas.
Guidance note:
This implies e.g. use of fibre optical cable in areas of high noise exposure from high voltage equipment.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
103 Systems or components not considered to be a necessary part of the automation and safety functions shall not be connected to the system.
Guidance note:
Miscellaneous office or entertainment functions should not be connected to the automation and safety system.
It is normally not considered acceptable to include CCTV as part of the automation and safety system.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
104 It shall be possible to maintain emergency operation of the vessel's/unit's main functions independent of network status. This may imply that essential nodes hosting emergency operation functionality shall be able to work autonomously, and with the necessary operator interface independent of the network.
Guidance note:
Main functions are considered to be as defined in Rules for Classification of Ships, Pt.1 Ch.1 Sec.1.
To be demonstrated during commissioning/sea-trial.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
105 Any network integrating ICSS shall be single point of failure-tolerant. This normally implies that the network with its necessary components and cables shall be designed with adequate redundancy.
Guidance note:
If the fault tolerance is based on other design principles, e.g. a ring net, the fault tolerance should be documented specifically.
The requirement applies to the network containing the integrated ICSS, and not to any external communication links to single controllers, remote I/O or similar (e.g. a serial line to an interfaced controller) when such units otherwise can be accepted without redundancy.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
106 Cables and network components belonging to redundant networks shall be physically separated in exposed areas, by separate cable routing and installation of network components belonging to the redundant network in separate cabinets, power supply to such units included.
Guidance note:
Exposed areas in this context means machinery spaces category A, hazardous areas and areas where operational incidents may lead to damage of equipment.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
107 It shall not be possible for unauthorised personnel to connect equipment to the ICSS network or otherwise have access to such network.
Guidance note:
This pertains both to communication onboard the unit/installation (e.g. there should be no connectors available for unauthorised access on network components such as switches) and to remote access via external communication.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
108 Any powered network component controlling the network traffic shall automatically resume normal operation upon restoration of power after a power failure.

C 200 Serial communication
201 Failure in a node shall not have any effect on the remaining part of the data communication link and vice versa.
202 Data communication links shall be automatically initialised on power on. After a power interruption, the links shall regain normal operation without manual intervention.
203 The capacity of the data communication link shall be sufficient to prevent overload at any time.
204 The data communication link shall be self-checking, detecting failures on the link itself and data communication failures on nodes connected to the link. Detected failures shall initiate an alarm on dedicated workstations.
205 For essential and important functions, means shall be provided to prevent the acceptance of corrupted data at the receiving node.
206 When two or more essential functions are using the same data communication link, this link shall be redundant.
207 Redundant data communication links shall be routed with as much separation as practical.

C 300 Network communication
301 All network components controlling the network traffic and nodes communicating over the network shall be designed with inherent properties to prevent network overload at any time. This implies that neither the nodes nor the network components shall, intentionally or erroneously, be able to generate excessive network traffic or consume extra resources that may degrade the network performance.
Guidance note:
This may imply that the nodes and network components should have properties to monitor their own communication through the network, and to be able to detect, alarm and respond in a predefined manner in case of an excessive traffic event.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
302 The network (traffic) performance shall be continuously monitored, and alarms shall be generated if malfunctions or reduced/degraded capacity occur. The alarm detail level shall be sufficient to clearly identify the cause of the failure, and related modules shall go to fail safe condition if necessary.
303 Important inter-node signals shall reach the recipient within a pre-defined time. Any malfunctions shall be alarmed and nodes shall go to fail safe condition if necessary.
Guidance note:
The 'pre-defined time' shall as a minimum correspond to the time constants in the EUC, which implies that the detection and alarming should be initiated quickly enough to enable appropriate operator intervention to secure the operation of the EUC.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
304 When different main systems are integrated in a common network, the network topology shall be designed with physical segmentation where each main system is allocated to different segments. The integrity and autonomy of each segment shall be secured with appropriate network components, e.g. firewalls or routers. It shall be possible to protect each segment from unnecessary traffic on the remaining network, and each segment shall be able to work autonomously.
305 If the automation and safety system is connected to administrative networks, the connection principle shall ensure that any function or failure in the administrative net cannot harmfully affect the functionality of the automation and safety system. The administrative functions shall be hosted in separate servers and shall, if at all necessary, have 'read only' access to the control network.
Guidance note:
The 'administrative network' in this connection may contain functions like e.g. report generation, process analysis, decision support etc., i.e. functions that by definition are not essential for vessel operation and not covered by the offshore standard.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
306 Systems allowing for remote connection (e.g. via Internet), e.g. for remote diagnostics or maintenance purposes, shall be secured with sufficient means to prevent unauthorised access, and with functions to maintain the security of the control and monitoring system. The security properties shall be documented.
Guidance note:
Any remote access to the control system should be authorised onboard. The system should have appropriate virus protection, also related to the possibility of infection via the remote connection.
If remote connection for e.g. the above purposes is possible, the function is subject to special considerations and case-by-case approval.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
307 Virtual networks (VLAN) are not considered satisfactory to meet the requirements for network segmentation as specified in paragraph 204.

C 400 Network analysis
401 The automation and safety systems network with its components, connected nodes, communication links (also external interfaces) shall be subject to an analysis where all rel-
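As an added illustration of B 104 (simple back-up and restoration of Operator configured parameters, with a check sum as version identification) and B 105 (a changed version identifier for every modification, and a record of changes), here is example code written for this page; it is not part of DNV-OS-D202 or any vendor's product, and the parameter names, the 16-hex-digit identifier length and the back-up format are assumptions.

```python
"""Added example for DNV-OS-D202 Sec.3 B 104 (guidance note) and B 105, not the
standard's own code: a checksum as the version identifier of operator
configured parameters, a change record and an integrity-checked back-up.
The parameter names, identifier length and back-up format are assumptions."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


def version_id(params: Dict[str, object]) -> str:
    """Checksum over a canonical encoding: the same settings always give the
    same identifier regardless of key order, and any change gives a new one.
    A plain checksum detects accidental corruption and unrecorded edits; it
    does not prove who made a change (that would need a keyed MAC/signature)."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]  # 16 hex digits: assumed length


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


class ParameterStore:
    """Operator configured parameters with version identification (B 104/105)."""

    def __init__(self, params: Dict[str, object],
                 clock: Callable[[], str] = _utc_now) -> None:
        self._params = dict(params)
        self._clock = clock  # injectable so the change record is reproducible
        # (date, old id, new id, changed keys): the record of changes of B 105
        self.change_record: List[Tuple[str, str, str, List[str]]] = []

    @property
    def version(self) -> str:
        return version_id(self._params)

    def update(self, changes: Dict[str, object]) -> str:
        """Apply changes; the identifier changes if and only if a value changed."""
        changed = sorted(k for k, v in changes.items()
                         if k not in self._params or self._params[k] != v)
        old = self.version
        if not changed:
            return old  # nothing modified, so the identifier must stay the same
        self._params.update(changes)
        new = self.version
        self.change_record.append((self._clock(), old, new, changed))
        return new

    def backup(self) -> bytes:
        """Simple back-up (B 104): the parameters plus their version identifier."""
        payload = {"version": self.version, "params": self._params}
        return json.dumps(payload, sort_keys=True).encode()

    @classmethod
    def restore(cls, blob: bytes,
                clock: Callable[[], str] = _utc_now) -> "ParameterStore":
        """Restore only a back-up whose parameters still match its identifier."""
        payload = json.loads(blob)
        if version_id(payload["params"]) != payload["version"]:
            raise ValueError("back-up rejected: parameters do not match version id")
        return cls(payload["params"], clock)
```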
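The receiving-node behaviour required by C 101 (time tagging at the receiving node when the source cannot tag), C 204/205 (self-checking link, no acceptance of corrupted data) and C 303 (signals within a pre-defined time, alarm and fail safe otherwise), as an added example that is not the standard's own code; the frame layout, the CRC-32 trailer, the field names and the deadline value are assumptions.

```python
"""Added example for DNV-OS-D202 Sec.3 C 101, C 204/205 and C 303 (not the
standard's own code): a receiving node that drops corrupted frames, time-tags
accepted data and latches fail-safe when an essential signal is late.
The frame layout, limits and field names are assumptions."""
import struct
import zlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed frame layout (assumption): seq u16, source time tag in ms u32
# (0 = the source could not time-tag), signal value i32, then a CRC-32 trailer.
HEADER = struct.Struct(">HIi")
TRAILER = struct.Struct(">I")
NO_TIMESTAMP = 0


def encode_frame(seq: int, ts_ms: int, value: int) -> bytes:
    """Build a frame; the CRC covers every header field."""
    body = HEADER.pack(seq, ts_ms, value)
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


@dataclass
class Receiver:
    """One node on the link. Clock values are injected so runs are reproducible;
    in a real system they come from the synchronised node clock (C 101)."""
    deadline_ms: int                      # the 'pre-defined time' of C 303
    start_ms: int = 0                     # when monitoring (re)started
    last_ok_ms: Optional[int] = None      # receipt time of the last valid frame
    fail_safe: bool = False
    alarms: List[str] = field(default_factory=list)
    log: List[Tuple[int, int, int]] = field(default_factory=list)  # (tag, seq, value)

    def _alarm(self, text: str) -> None:
        self.alarms.append(text)

    def receive(self, frame: bytes, now_ms: int) -> bool:
        """Accept a frame only if it is well-formed and its CRC matches (C 205)."""
        if len(frame) != HEADER.size + TRAILER.size:
            self._alarm(f"t={now_ms}: malformed frame of {len(frame)} bytes dropped")
            return False
        body, trailer = frame[:HEADER.size], frame[HEADER.size:]
        (crc,) = TRAILER.unpack(trailer)
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            self._alarm(f"t={now_ms}: CRC mismatch, corrupted frame dropped")
            return False
        seq, ts_ms, value = HEADER.unpack(body)
        # Tag at the receiving node, at the earliest possible time, when the
        # source could not tag the data itself (C 101 guidance note).
        tag = ts_ms if ts_ms != NO_TIMESTAMP else now_ms
        self.log.append((tag, seq, value))
        self.last_ok_ms = now_ms
        return True

    def check_deadline(self, now_ms: int) -> bool:
        """True while the last valid signal is within the deadline; a late
        signal raises an alarm and latches fail-safe (C 303)."""
        reference = self.start_ms if self.last_ok_ms is None else self.last_ok_ms
        if now_ms - reference > self.deadline_ms:
            if not self.fail_safe:
                self._alarm(f"t={now_ms}: no valid signal for {now_ms - reference} ms "
                            f"(limit {self.deadline_ms} ms), entering fail-safe")
            self.fail_safe = True
            return False
        return True

    def reset(self, now_ms: int) -> None:
        """Fail-safe is latched: it is left only by an explicit reset once the
        cause has been cleared (compare Sec.2 B 101), never by a late frame."""
        self.fail_safe = False
        self.last_ok_ms = None
        self.start_ms = now_ms

    def sequential_log(self) -> List[Tuple[int, int, int]]:
        """Accepted data ordered by time tag, for sequential logging (C 101)."""
        return sorted(self.log)
```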
SECTION 4
COMPONENT DESIGN AND INSTALLATION
102 The different environmental parameter classes are defined in Table B1.

Table B1 Parameter class for the different locations on board

Parameter    Class  Location
Temperature  A      Machinery spaces, control rooms, accommodation, bridge
             B      Inside cabinets, desks, etc. with temperature rise of 5°C or more installed in location A
             C      Pump rooms, holds, rooms with no heating
             D      Open deck, masts and inside cabinets, desks etc. with a temperature rise of 5°C or more installed in location C
Humidity     A      Locations where special precautions are taken to avoid condensation
             B      All locations except as specified for location A
Vibration    A      On bulkheads, beams, deck, bridge
             B      On machinery such as internal combustion engines, compressors, pumps, including piping on such machinery
             C      Masts
EMC          A      All locations except as specified for bridge and open deck
             B      All locations including bridge and open deck

Components and systems designed in compliance with IEC environmental specifications for ships, Publication No. 60092-504 (1994), and for EMC, IEC Publication No. 60533, may be accepted after consideration.
Guidance note:
For details on environmental conditions for instrumentation, see Certification Note No. 2.4.
Navigation and radio equipment should comply with IEC Publication No. 60945.
For EMC only, all other bridge-mounted equipment, equipment in close proximity to receiving antennas, and equipment capable of interfering with safe navigation of the vessel/unit and with radio-communications should comply with IEC Publication No. 60945 (1996) Clause 9 (covered by EMC class B).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B 200 Electric power supply
201 Power supply failure with successive power breaks with full power between breaks:
— 3 interruptions during 5 minutes
— switching-off time 30 s each case.
202 Power supply variations for equipment connected to A.C. systems:
— combination of permanent frequency variations of ±5% and permanent voltage variations of +6 / −10% of nominal
— combination of frequency transients (5 s duration) ±10% of nominal and voltage transients (1.5 s duration) ±20% of nominal.
203 Power supply variations for equipment connected to D.C. systems:
— voltage tolerance continuous ±10% of nominal
— voltage transients cyclic variation 5% of nominal
— voltage ripple 10%.
204 Power supply variations for equipment connected to battery power sources:
— +30% to −25% for equipment connected to battery during charging
— +20% to −25% for equipment connected to battery not being charged
— voltage transients (up to 2 s duration) ±25% of nominal.

B 300 Pneumatic and hydraulic power supply
301 Nominal pressure ±20% (long and short time deviations).

B 400 Temperature
401 Class A: Ambient temperatures +5°C to +55°C.
402 Class B: Ambient temperatures +5°C to +70°C.
403 Class C: Ambient temperatures –25°C to +55°C.
404 Class D: Ambient temperatures –5°C to +70°C.

B 500 Humidity
501 Class A: Relative humidity up to 96% at all relevant temperatures, no condensation.
502 Class B: Relative humidity up to 100% at all relevant temperatures.

B 600 Salt contamination
601 Salt-contaminated atmosphere up to 1 mg salt per m³ of air, at all relevant temperatures and humidity conditions.

B 700 Oil contamination
701 Mist and droplets of fuel and lubricating oil. Oily fingers.

B 800 Vibrations
801 Class A
— frequency range 3 to 100 Hz
— amplitude 1 mm (peak value) below 13.2 Hz
— acceleration amplitude 0.7 g above 13.2 Hz.
802 Class B
— frequency range 3 to 100 Hz
— amplitude 1.6 mm (peak value) below 25 Hz
— acceleration amplitude 4.0 g above 25 Hz.
803 Class C
— frequency range 3 to 50 Hz
— amplitude 3 mm (peak value) below 13.2 Hz
— acceleration amplitude 2.1 g above 13.2 Hz.

B 900 Electromagnetic compatibility
901 The minimum immunity requirements for equipment are given in Table B2, and the maximum emission requirements are given in Table B3.
Guidance note:
Electrical and electronic equipment should be designed to function without degradation or malfunction in their intended electromagnetic environment. The equipment should not adversely affect the operation of, or be adversely affected by, any other equipment or systems used on board or in the vicinity of the vessel. Upon installation, it may be required to take adequate measures to minimise the electromagnetic noise signals, see Classification Note No. 45.1. Such measures may be in the form of a list of electromagnetic noise generating and sensitive equipment, and an estimate of the required noise reduction, i.e. an EMC management plan. Testing may also be required to demonstrate electromagnetic compatibility.
After installation, Optical Time Domain Reflectometry (OTDR) measurements for each fibre shall be used to correct and re-evaluate the power budget calculations.
703 The safety of personnel and operations shall be considered in the installation procedures. Warning signs and labels giving information to the operators shall be placed where a hazard exists. Care must be taken to prevent fibres from penetrating eyes or skin.
Guidance note:
It is advised to use equipment with 'built-in' safety, e.g. interlock the power to the light sources with the covers, make it possible to disconnect or lock parts of the system under service, and screen laser beams.
The safe distance between the light source or fibre end and the eye of the operator may be determined by applying the formula:

$$L_{safe} = \frac{P_n + 10}{2}$$

$L_{safe}$: safe distance (cm); $P_n$: nominal power (mW)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
704 Fibre optic systems using standard single and multimode fibres to be used for intrinsically safe circuits in hazardous areas shall have a power level below 10 mW.

D. Pneumatic and Hydraulic Equipment

D 100 Pneumatic equipment
101 Components requiring extremely clean air shall not be used. Extremely small openings in air passages shall be avoided.
102 Main pipes shall be inclined relative to the horizontal and drainage shall be arranged.
103 Pipes and other equipment made of plastic materials may be used if they have satisfactory mechanical strength, low thermoplasticity, high oil resistance, and flame retardation. See DNV-OS-D101.
104 For air supply, the redundancy requirement of DNV-OS-D101 applies for compressors, pressure reduction units, filters and air treatment units (lubricator or oil mist injector and dehumidifier).
105 Air to instrumentation equipment shall be free from oil, moisture and other contaminations. Condensation shall not occur at relevant pressures and temperatures. For air flowing in pipes which are located entirely inside the machinery space and accommodation, the dew point shall be more than 10°C below ambient temperature, but need normally not be lower than 5°C. The dew point of air flowing in pipes on open deck shall be below –25°C.
106 Reduction valves and filters shall be duplicated when serving more than one function (e.g. more than one control loop).
107 Piping and tubing to actuators and between actuators and local accumulators should be hydrostatically tested to 1.5 times the system design pressure for minimum 15 minutes.
108 Local accumulators used as back up air supply for essential systems shall be designed and located or protected to minimise the possibility of inadvertent isolation or mechanical damage which could prevent correct operation on demand.
109 Piping and tubing shall be cleaned and dried before being connected to control systems.
110 Piping, tubing and components in systems required to operate in a fire scenario shall have adequate fire resistance properties to ensure correct system operation. This is particularly important for systems where pneumatic energy is required to operate or maintain control over the system.

D 200 Hydraulic equipment
201 System components and arrangement shall satisfy the requirements in DNV-OS-D101.
202 Piping and tubing to actuators and between actuators and local accumulators should be hydrostatically tested to 1.5 times the system design pressure for 15 minutes.
203 Local accumulators used as back up power supply for essential systems shall be designed and located or protected to minimise the possibility of inadvertent isolation or mechanical damage which could prevent correct operation on demand.
204 Piping, tubing and components in systems required to operate in a fire scenario shall have adequate fire resistance properties to ensure correct system operation. This is particularly important for systems where hydraulic energy is required to operate or maintain control over the system.
205 Piping and tubing shall be flushed and cleaned before being connected to control systems.
206 Hydraulic oil return lines shall be designed with capacity to allow the maximum return flow during extreme conditions without reducing overall system performance. Care shall be taken to avoid the possibility of blockages at filters, vents or by mechanical damage or inadvertent operation of valves.
SECTION 5
USER INTERFACE
A 100 Application
101 The requirements of this section apply for all DNV Offshore Standards class vessel/units.

A 200 Introduction
201 The location and design of the user interface shall give consideration to the physical capabilities of the user and comply with accepted ergonomic principles.
202 This section gives requirements for the user interface to ensure a safe and efficient operation of the systems installed.

B. Workstation Design and Arrangement

B 100 Location of visual display units and user input devices
101 Workstations shall be arranged to provide the user with easy access to UID's, VDU's and other facilities required for the operation.
Guidance note:
The VDU's and UID's should be arranged with due consideration of the general availability parameters as shown in figure 1 and 2.

C. User Input Device and Visual Display Unit Design

C 100 User input devices
101 The method of activating a UID shall be clear and unambiguous.
102 The direction of UID movements shall be consistent with the direction of associated process response and display movement.
Guidance note:
The purpose should ensure easy and understandable operation, e.g. a side thruster lever should be arranged athwart, a propulsion thruster lever shall be arranged according to the vessel response. The thruster response shall correspond to the lever movement.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
103 The operation of a UID shall not obscure indicator elements where observation of these elements is necessary for adjustments.
104 UID's or combined UID's or indicating elements shall be visually and tactually distinguishable from elements used for indication only.
Guidance note:
Rectangular buttons should be used for UID elements, and round lights for VDU elements. For screen based systems, a suitable framing method should be chosen.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
SECTION 6
SUPPLEMENTARY REQUIREMENTS FOR DRILLING UNITS
SECTION 7
SUPPLEMENTARY REQUIREMENTS FOR PRODUCTION AND STORAGE UNITS
Cabinets of the distributed parts of the automation and safety system should withstand the Design Accidental Loads.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

F. User Interface

F 100 General
101 There shall be sufficient VDU's or other panels to ensure overview and detailed information for relevant safety systems (Ref. Sec.1 A404).
Guidance note:
Sufficient overall status should be provided without browsing between screen pictures, including all shutdown valves within the process plant.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
102 Back-up means of operation, ref. Sec.3 A201, shall contain the most important action functions and alarm indications related to ESD and F&G detection, including activation of active fire protection devices (see Ch.2 Sec.5 C205).
Guidance note:
This will normally include:
— Release of foam systems and indication of foam system status, if applicable
— Status of vessel boundary shutdown valves
— Gas detection status indication (flammable and toxic)
— Facilities for emergency relocation, if applicable (ref. DNV-OS-D101, Ch.2 Sec.5 G305).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
CHAPTER 3
CONTENTS PAGE
Sec. 1 Certification and Classification - Requirements ...................................................................... 37
SECTION 1
CERTIFICATION AND CLASSIFICATION - REQUIREMENTS
301 Classification of automation, safety, and telecommunication systems shall generally be according to the principles of:
— document evaluation (see B)
— certification requirements (see C)
— on-board inspection (visual inspection and functional testing).
Guidance note:
The approval may be either case-by-case approval for each system, or type approval as specified in Certification Notes No. 1.2 and 2.4.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B. Documentation

105 The documentation type number together with identification of the automation and safety system can be used as a unique identifier for the document. The "T" indicates that the documentation type is required also for automation and safety systems where type approved components or software modules are used.
106 For a system subject to certification, documentation listed in Table B3 shall be available for the surveyor at testing at the manufacturer.
107 For on-board inspection, documentation listed in Table B4 is required to be submitted to the survey station.
108 The documentation shall be limited to describing and explaining the relevant aspects governed by the rule requirements.
Guidance note:
Documentation for a specific automation and safety system should be complete (as required in Table B2) in one submittal, to the extent possible.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Table B2 Documentation required to describe the automation and safety system (Continued)
(typically submitted by manufacturers based upon their project specific specification)
Columns: Documentation type | Information element | Purpose

Documentation type: Failure mode and effect analysis (FMEA) (Z071) (T) (Only when requested)
Purpose: Information
Information element: A failure modes and effect analysis (FMEA) is to be carried out for the entire system. The FMEA is to be sufficiently detailed to cover all the systems' major components and is to include but not be limited to the following information:
— a description of all the systems' major components and a functional block diagram showing their interaction with each other
— all significant failure modes
— the most predictable cause associated with each failure mode
— the transient effect of each failure on the vessel/unit's position
— the method of detecting that the failure has occurred
— the effect of the failure upon the rest of the system's ability to maintain station
— an analysis of possible common failure modes.
Where parts of the system are identified as non-redundant and where redundancy is not possible, these parts shall be further studied with consideration given to their reliability and mechanical protection. The results of this further study shall be submitted for review.
Guidance note:
A project specific FMEA would normally only be expected when using new, unproven technology or to resolve any doubt as to the reliability of the chosen system topology.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Documentation type: List of control & monitored points (I110) (T)
Purpose: Approval
Information element: A list and/or index identifying all input and output signals to the system as required in the offshore standard, containing at least the following information:
— service description
— instrument tag-number
— system (control, safety, alarm, indication)
— type of signal (digital / analogue input / output).

Documentation type: Circuit diagrams (I150)
Purpose: Approval
Information element:
— for essential hardwired circuits (for emergency stop, shutdown, interlocking, etc.) details of input and output devices and power source for each circuit.

Documentation type: Test program for testing at the manufacturer (Z120) (T)
Purpose: Examination
Information element: Description of test configuration and test simulation methods. Based upon the functional description, each test shall be described specifying:
— initial condition
— how to perform the test
— what to observe during the test and acceptance criteria for each test.
The tests shall cover all normal modes as well as failure modes identified in the functional failure analysis, including power and communication failures.

Documentation type: Software quality plan, based upon life cycle activities (I140) (T) (Shall be available during certification)
Purpose: Information
Information element: The software life cycle activities shall as a minimum contain procedures for:
— software requirements specification
— parameters data requirements
— software function test:
  — parameter data test
  — validation testing
— system project files stored at the manufacturer
— software change handling and revision control.

Documentation type: Data sheets with environmental specifications (I080)
Purpose: Information
Information element:
— environmental conditions stipulated in Sec.4 for temperature, vibration, humidity, enclosure and EMC.

Documentation type: Cause and effect diagrams
Purpose: Approval
Information element:
— Cause and effect matrix/chart for PSD, ESD and F&G, showing the various inputs and corresponding actions to be taken by the logic, where relevant.

Documentation type: Operation manual (Z160) (Available during certification and to be kept on board)
Purpose: Information
Information element: A document intended for regular use on board, providing information as applicable about:
— operational mode for normal system performance, related to normal and abnormal performance of the EUC
— operating instructions for normal and degraded operating modes
— details of the user interface
— transfer of control
— redundancy
— test facilities
— failure detection and identification facilities (automatic and manual)
— data security
— access restrictions
— special areas requiring user attention
— procedures for start-up
— procedures for restoration of functions
— procedures for data back-up
— procedures for software re-load and system regeneration.

Documentation type: Installation manual (Z170) (Available during certification)
Purpose: Information
Information element: A document providing information about the installation procedures.
Documentation type: Maintenance manual (Z180) (Available during certification and to be kept on board)
Information element: A document intended for regular use on board providing information about:
— maintenance and periodical testing
— acceptance criteria
— fault identification and repair
— list of the suppliers' service network
— vessel/unit's systems' software maintenance log.
Purpose: Information

Documentation type: Test program for dock and sea trials (Z140) (Available during certification and to be kept on board)
Information element:
— initial condition
— what to test
— how to perform the test
— acceptance criteria for the test.
Purpose: Examination

Documentation type: ESD and F&G overview mimics
Information element: A document showing the main ESD and F&G overview mimics.
Purpose: Information

Documentation type: CAAP panel layout
Information element: A drawing showing the layout of the CAAP panel, with information showing all functions, feedbacks and alarms.
Purpose: Approval

Documentation type: Network documentation requirements
Information element: The following information related to the network properties shall be included in the documentation submitted for approval:
— topology and network details, including power supply arrangement
— functional description, with special focus on interfaces
— identification of critical network components
— qualitative reliability analysis (e.g. FMEA)
— failure response test program.
Purpose: Approval

Documentation type: Documentation of wireless communication
Information element: The following information related to the wireless communication shall be included in the documentation submitted for approval:
— functional description
— ISM certificate (IEEE 802) from a licensing authority (typically the flag state) or, alternatively, applicable test reports
— single line drawings of the WLAN topology with power arrangements
— specification of frequency band(s), power output and power management
— specification of modulation type and data protocol
— description of integrity and authenticity measures.
Purpose: Approval
Documentation type: Software quality plan, based upon life cycle activities (Available for information at testing at the manufacturer)
Information element: The software life cycle activities shall, as a minimum, contain procedures for:
— software requirements specification
— parameter data requirements
— software function test
— parameter data test
— validation testing
— system project files stored at the manufacturer
— software change handling and revision control.
Purpose: Information

Documentation type: Operation manual (Available for information at testing at the manufacturer)
Information element: A document intended for regular use on board, providing information as applicable about:
— operational mode for normal system performance, related to normal and abnormal performance of the EUC
— operating instructions for normal and degraded operating modes
— details of the user interface
— transfer of control
— redundancy
— test facilities
— failure detection and identification facilities (automatic and manual)
— data security
— access restrictions
— special areas requiring user attention
— procedures for start-up
— procedures for restoration of functions
— procedures for data back-up
— procedures for software re-load and system regeneration.
Purpose: Information

Documentation type: Installation manual (Available for information at testing at the manufacturer)
Information element: A document providing information about the installation procedures.
Purpose: Information

Documentation type: Maintenance manual (Available for information at testing at the manufacturer)
Information element: A document intended for regular use on board providing information about:
— maintenance and periodical testing
— acceptance criteria
— fault identification and repair
— list of the suppliers' service network
— ship's systems' software maintenance log.
Purpose: Information

Documentation type: Test program for dock and sea trials
Information element:
— initial condition
— what to test
— how to perform the test
— acceptance criteria for the test.
Purpose: Examination
C 100 General

101 Essential and important computer based systems shall be provided with a DNV product certificate. For DNV type approved systems, additional testing is only required for the application software programming and function, unless further testing is required in the type approval certificates. The certification procedure normally consists of:

Document evaluation
— review of documentation listed in Sec.1 B for the appropriate system.

Manufacturing survey (MS)
— survey of hardware and software
— test of project specific application software

Guidance note:
Type approval of systems includes hardware, operating system software, standard software modules and standard function blocks. If new software modules or function blocks are made, testing will be required. Application software is project specific and shall be tested before the certificate can be issued.
---end of Guidance note---

102 The certification requirement of the various instrumented systems shall follow the same certification requirement as the system they control. Reference is made to Ch.1 Sec.1 B200 for the list of relevant Offshore Standards.

103 Integrated control and safety systems shall always be certified.